Publicly exposed, critically vulnerable and highly privileged workloads are putting organizations at risk of cloud data losses and cyberattacks, according to a Tenable report, which labeled the vulnerabilities a “toxic cloud triad”.

The study highlighted a series of alarming vulnerabilities in cloud infrastructures, with 84% of organizations found to be using risky access keys.

These unused or longstanding access keys come with critical or high-severity excessive permissions, representing a major security gap that puts organizations at significant risk.

Analysis across major platforms like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure revealed nearly a quarter (23%) of cloud identities — both human and non-human — are also granted excessive permissions with critical or high severity.

Nearly three-quarters (74%) of organizations are exposing their storage assets publicly, often with sensitive data at risk.

Similarly, 78% of organizations have publicly accessible Kubernetes API servers, with 41% allowing inbound internet access and 58% assigning unrestricted control to users through cluster-admin role bindings, amplifying the risk of unauthorized access and system control.

Bernard Montel, technical director EMEA, Tenable explained key risk factors include having workloads that are publicly exposed, even when there might not be a legitimate business reason for doing so, having critical vulnerabilities that have not been remediated and having access privileges that are excessive.

“Part of the challenge is that each of these factors is managed by a different team and with their own siloed tools that don’t easily communicate or provide a complete picture of what’s happening in the environment,” he said.

At times cloud or DevOps teams are provisioning services directly to the cloud without referring or working with the security team.

“This makes it very difficult to have a complete view of the environment,” Montel said.

He said organizations must be able to analyze their identity privileges, vulnerabilities, misconfigurations and overall data risk in context to fully evaluate their cloud security risk and make smart decisions about remediation.

In addition to these identity and access management issues, other serious vulnerabilities persist, including CVE-2024-21626, a severe container escape vulnerability that could allow attackers to compromise server hosts.

This vulnerability has remained unpatched in over 80% of workloads, even 40 days after it was publicly disclosed, a delay in remediation which the report said poses a significant threat to cloud security.

Network Segmentation, Zero-Trust

Rom Carmel, Co-Founder and CEO at Apono said to mitigate these risks, businesses that operate primarily in the cloud should adopt several best practices.

These include least-privilege access policies, Just-in-Time (JIT) access, and continuous vulnerability management to close security gaps before they are exploited.

“Network segmentation, multi-factor authentication, and zero-trust principles can further reduce exposure,” he said.

Additionally, regular backups and comprehensive incident response plans are crucial for minimizing downtime and ensuring recovery in the event of an attack.

“By implementing these strategies, businesses can better safeguard their cloud environments and minimize the long-term impact of the toxic cloud triad,” Carmel said.

Integrate Security Across Layers

Jason Soroko, senior fellow at Sectigo, said organizations can balance cloud flexibility with stricter security measures by integrating security into every layer of their cloud infrastructure management, especially when dealing with complex environments like containers and Kubernetes.

“Adopting DevSecOps practices ensures that security considerations are embedded throughout the development and deployment processes without hindering agility,” he explained.

Utilizing automation tools for security tasks, such as automated vulnerability scanning and compliance checks, allows for rapid scaling while maintaining robust security.

Meanwhile, implementing role-based access control (RBAC), network policies, and namespaces within Kubernetes clusters can restrict unauthorized access and limit potential damage from compromised components.

Incorporating security policies as code and embedding security checks into CI/CD pipelines ensures consistent enforcement of security standards.

“By fostering a culture where security is a shared responsibility and leveraging advanced security technologies, organizations can achieve a harmonious balance between flexibility and stringent security requirements,” Soroko said.